We kill people based on metadata

By Matthew Davis


The government is fervently trying to convince the nation that mandatory retention of metadata will help stop terrorists, without impacting privacy. However, they have yet to consistently define what metadata is.

The term metadata encompasses all digital information, excluding the core content. For phone calls, this includes location, time, duration and both phone numbers. For emails, it includes the subject, recipient addresses and attachments. For web surfing, it includes URLs, location, device type and even the images. Technically, the 140-character content of a tweet is contained in its metadata. In its Senate Committee submission regarding data retention, iiNet explained that “metadata reveals even more about an individual than the content itself”. Michael Hayden (former director of the NSA and the CIA) has admitted that “we kill people based on metadata”.

Attorney-General George Brandis has tried to downplay privacy concerns (via Sky News): “We’re not tracking the websites you visit, only the web addresses.” This is analogous to saying “we don’t care where you live, we only want your home address”. Brandis could not clarify whether “web address” means IP address, domain name or URL. Tony Abbott only added to the ambiguity (via ABC Radio): “Let’s be clear what this so called metadata is. … It’s not what you’re doing on the Internet. It’s the sites you’re visiting.”

The text you type into search engines is encoded into the URL of the results page. When you visit a Facebook page, the unique identification number of that page is encoded into the URL. Even if “address” means the IP address or domain name, a lot of sensitive information can still be deduced from such metadata. Grindr.com, beyondblue.com, pornhub.com and socialistalternative.org are all domain names which contain no content themselves. However, their presence in someone’s browsing history would reveal sensitive information that a reasonable person may want to keep private. (Online porn consumption is so ubiquitous that Montreal University researchers had to cancel a study about porn because they couldn’t find a single male over 20 years of age who hadn’t consumed it.)

Claiming that metadata is harmless is disingenuous. Metadata can tell you that someone called a suicide hotline from the Golden Gate Bridge, but it won’t tell you what that person talked about. Metadata can tell you that someone received a call from an HIV testing centre, then they immediately called their doctor, health insurance company and spouse. The metadata can’t tell you what was discussed, but it is fairly obvious.

Interestingly, whilst in opposition, Brandis opposed identical measures. The Coalition’s stance has changed, but Abbott himself said that the risk of terrorism in Australia “has not changed”. Despite this, the government wants universal data retention, an extra $630 million funding for intelligence agencies and the power to stop people travelling to Middle Eastern countries.

Most people have something to hide, even if they’ve done nothing wrong. Would you be at all reluctant to make public your academic transcript, bank account transaction history and unsanitised browsing history? If yes, you do have something to hide. Queer people should have the right to hide their identity if they want. HIV positive people and cancer patients should be able to keep their status’s hidden from the general public. Most of these examples could be deduced from metadata alone. Currently, law enforcement agencies require a warrant to access paper documents in your house. They do not require a warrant to access digital metadata. This is arbitrarily inconsistent.

Mandatory data retention is extremely expensive. Large telcos will each have to process and store up to one petabyte (1000 terabytes) per day. Over two years, that comes to more than 0.7 exabytes. This will cost each customer approximately $130 per year. Chief Regulatory Officer of iiNet, Steve Dalby, argues that “it is inappropriate to impose costs and obligations on unwilling commercial entities in order to create an intrusive police state”. Optus has made similar statements.

The government has claimed that telcos already collect the data that the government wants stored. This is false. iiNet said that “this suggestion…could be likened to saying, ‘You are going to the shops to get a litre of milk anyway, and so it’s no big deal to bring me the whole supermarket’”. The only information telcos require for billing is the quantity of data, date, time and outgoing phone numbers. It is not in their commercial interest to store anything else, therefore doing so would be a waste of resources.

These huge data honey pots would be of no commercial use to telcos. Security is not the core business of telcos, so they will lack the expertise that government security agencies have. This is more true of the smaller telcos. Inevitably, there will be breaches. Malicious individuals will be able to steal money from bank accounts. They can also hold sensitive information to ransom, forcing innocent customers to fork out blackmail money. The proposals and current laws don’t require telcos to notify customers of such breaches – voluntarily notifying customers of such incidents would be bad for businesses.

The law enforcement agencies themselves have a history of abusing their access to sensitive information. We have already seen from the Edward Snowden leaks that the Five Eyes (which includes Australian agencies) use their stored information and privileged access to destroy the reputation of their targets. Such targets are not limited to proven terrorists – they include ordinary, innocent citizens.

The original goal of this proposal was to help combat terrorism. This was soon broadened to include normal crime fighting. However, intelligence agencies already have the power to obtain warrants for all digital activities (not just metadata) of suspects and associates. Furthermore, it is trivially easy for moderately tech-savvy individuals and groups to circumvent this panopticon. The Attorney-General’s department has admitted that all it takes is the use of a Tor client or VPN, and telcos will not see what you are doing.

The government’s mandatory data retention proposals will not provide any extra security. Nonetheless, they will cost hundreds of dollars per person per year, and it is probable that the information will be stolen by malicious hackers and abused by our own government.